Three Steps to Justify an Investment in IT Security

Since there is no such thing as 100% security, investments in it never seem to be enough. When it comes to budgeting, the role of a CISO is to prioritize available resources based on the IT risks the organization faces and to justify additional investments to the executives when they are needed. That is easier said than done. Many CISOs still struggle to articulate the value of their current and future security projects when arguing for more budget. The key to a successful pitch is to do accurate research and to start speaking the language your board is fluent in: the language of numbers and business benefits. This brief 3-step guide offers tips for convincing executives to increase your budget.

Step 1: Assess your IT risks

Before asking for additional investments, you should check whether your current resources are allocated correctly to address the actual risks your organization is exposed to, whether those risks are prioritized well and what your level of remaining risk exposure is.

For this reason, you should conduct regular IT risk assessments. The procedure might seem very complex, but you can keep it simple at first: Identify threat/vulnerability pairs and determine the level of the risk they pose to your organization. This level will be based on the following:

  • The likelihood that the threat will exploit the vulnerability
  • The impact of the threat successfully exploiting the vulnerability
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk

This assessment will enable you to determine which risks are sufficiently addressed by your current IT controls and what security gaps remain that require additional efforts and investments. With that information, you will be better able to prioritize risks and allocate resources wisely.

To this classic IT risk assessment process, I would add a regular review of your risk profile against your industry peers. These peer comparisons will give you a heads-up on the threats your peers encounter and how they address them. For instance, if one of your competitors recently experienced a data breach, instead of gloating about their failure, you should investigate whether you have the same weakness and what you must do to mitigate it. In addition, you should scrutinize research from analysts such as Gartner that summarizes security execution in different industries, so you know what the best practices are.

By accurately assessing risks for your organization and your industry in general, you will be able to prepare a roadmap for eliminating the critical security gaps in your posture and build a coherent argument to get additional budget.

Step 2: Communicate security issues to the decision-makers

Now you are ready to talk to your executives. It is best to start with your security status: Briefly describe your IT risks roadmap and explain exactly what you are doing to address current risks, showing that you are using the technologies and human resources you have to the maximum.

To demonstrate the effectiveness of your security controls, you can use a variety of metrics, for instance, MTTD (mean time to detect), MTTR (mean time to repair), number of incidents and vulnerabilities discovered versus the number remediated, money savings due to remediation, mean time between security incidents, percent of changes with security review and so on.

Then it is time to highlight the most acute security gaps that leave your organization vulnerable to current threats and request money to address them. The key to success is to clearly explain and, whenever possible, quantify the business impact of the security incidents that could result if those security risks are left unaddressed.

For instance, suppose your sales managers often work remotely via VPN. However, VPN makes processes very slow, so occasionally they opt for third-party solutions like Dropbox or Google Drive instead. Working with confidential partner and customer data through these means puts that data at risk, because you have no control over activity around it and might miss potentially harmful actions that could lead to a breach. You estimate the cost of such an incident to be X millions of dollars, noting that that figure includes just detection, investigation and regulatory fines, and not the negative public sentiment, downtime and legal costs that the company could also incur.

Step 3: Offer a solution and highlight benefits

Provide a clear, actionable plan for how you are going to use the budget you request to reduce the IT risks you identified to a level acceptable to the business. This plan must include resources (people, technologies, etc.), deadlines and a detailed budget that says how much money will be spent on what.

To support your argument, you should estimate the expected return on security investment (ROSI) for your planned investments in order to show that they balance risk and cost effectively. You can base this calculation on direct prevention of financial losses, as just discussed. The best way is to use the SANS Institute’s quantitative risk analysis formula. It estimates ROSI by quantifying how well the solution mitigates the risks it is intended to address and how much money can be saved through the reduced risk exposure. Even if the estimate isn’t completely accurate, applying the same scoring method consistently over time is a good way to compare the return on your security projects.
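As an added worked example (not code from the article or from SANS), the following Python applies the SANS quantitative formula to the article's VPN-bypass scenario: annual loss expectancy ALE = SLE x ARO, and ROSI = (ALE x mitigation ratio - solution cost) / solution cost. Every dollar figure, the 25% annual rate, the 80% and 10% mitigation ratios and the "awareness training only" alternative are constructed assumptions used to illustrate how two candidate controls are ranked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair, quantified the SANS way."""
    name: str
    sle: float   # single loss expectancy: cost of one incident, in dollars
    aro: float   # annual rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE * ARO (yearly risk exposure)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed security investment with an estimated effect on the risk."""
    name: str
    annual_cost: float        # licences, people and operations per year
    mitigation_ratio: float   # fraction of the risk it removes, 0.0 to 1.0

    def rosi(self, risk: Risk) -> float:
        """SANS ROSI = (ALE * mitigation_ratio - cost) / cost."""
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be between 0 and 1")
        if self.annual_cost <= 0:
            raise ValueError("annual_cost must be positive")
        savings = risk.ale * self.mitigation_ratio
        return (savings - self.annual_cost) / self.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Return (control name, ROSI) pairs for one risk, best return first."""
    scored = [(c.name, c.rosi(risk)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed figures for the article's scenario: sales staff bypass the VPN and
# put confidential partner data in unsanctioned cloud storage. Not real estimates.
DATA_LEAK = Risk("confidential data leaked via unsanctioned cloud storage",
                 sle=2_000_000.0, aro=0.25)   # one $2M incident every four years
CANDIDATES = [
    Control("CASB plus sanctioned cloud repository", annual_cost=150_000.0, mitigation_ratio=0.80),
    Control("awareness training only", annual_cost=20_000.0, mitigation_ratio=0.10),
]

if __name__ == "__main__":
    print(f"ALE for '{DATA_LEAK.name}': ${DATA_LEAK.ale:,.0f}")
    for name, rosi in rank_controls(DATA_LEAK, CANDIDATES):
        print(f"{name}: ROSI {rosi:.0%}")
```

With these constructed inputs the ALE is $500,000, the CASB option returns about 167% and training alone about 150%, so the CASB ranks first even though it costs more; rerunning the same function each budget cycle with updated SLE and ARO figures is what gives the comparison over time that the text recommends.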

Apart from underlining the losses the company might avoid, it is great if you can translate the value that your security project can bring to the business. In other words, try to present your budget requests to the board as opportunities for assisting in meeting their business objectives, such as reducing costs, increasing revenue or increasing the company’s value on the market. If you can calculate these values in numbers, your case will be even stronger.

Let’s go back to my previous example. To reduce the risk posed to the confidential data caused by sales managers bypassing the VPN and using Dropbox, you propose moving the data to a cloud repository and deploying a cloud access security broker (CASB) solution. The CASB will help you ensure that traffic between your environment and the cloud provider’s complies with your security policies. If your executives agree to invest in this solution, you will reduce the risk of monetary loss from a breach, which you estimate at $X, based on your previous estimate of the cost of a data breach and your ROSI calculation. To put the icing on the cake, you can enumerate the following additional benefits:

  • Users will be able to access cloud services seamlessly and do their job more efficiently.
  • The compliance team will have full control over activity in the cloud, so your company will stay compliant. Moreover, audit preparation and audits themselves will take far less time, so there will be no need to hire additional employees to help with those tasks.
  • By having a centralized view of cloud services, the IT department might be able to detect services that are rarely or never used and cancel them to reduce costs.

These benefits will make your pitch hard to resist.

Arguing for investments in security projects is quite a challenge. Executives will not be swayed by vague promises or crystal ball predictions; you need to provide hard data that shows how a fortified security posture can help the business prosper. You must also understand the market and your organization’s objectives very well, because doing so will help you identify the most business-critical risks and better articulate the benefits that your board cares about.